Sophos Principal Virus Researcher Vanja Svajcer has posted a fascinating blog today about his discovery of malware which appears to target Diebold cash machines.
You can read the full details in Vanja’s blog post, but I thought it might be a good idea to explain what we’re talking about here.
Firstly, this malware entered our labs in the last week. Like most of the malware we see these days, we didn’t do an in-depth analysis of it. To be honest, it’s not necessary to look that deeply into most malware to develop reliable protection against it.
It was only when Vanja heard murmurings from a friend of his about ATM-infecting malware that he hunted through recent samples submitted to our labs to see if he could find any evidence. Searching through recently received samples, Vanja came across some code that had been delivered to us and other security companies via an anonymous virus submission website. Clearly, because these services are largely anonymous, we have no way of knowing whether it was a concerned financial institution or police authority who uploaded the code.
The malicious code, which Sophos detects as Troj/Skimer-A, contained references to Diebold DLLs and appeared to be sending instructions that would assist in the stealing of PINs and information from cards entered into the machine.
In addition, it appears that the malicious code is designed to skim money from accounts in Russian, Ukrainian and American currency.
Now, obviously, we don’t have our very own ATM machine to test the code on, so we haven’t been able to confirm 100% that it works. However, looking at the code makes us believe that it could be possible that a criminal could enter a specially crafted card into an infected ATM, which would then instruct the ATM to print out encoded information about stolen credit cards and PINs onto what is normally the receipt slip.
That information could then be used for criminal purposes, such as creating phoney credit cards.
This is, of course, an educated guess as we cannot prove it at the moment. However, if true the big challenge would be for the criminals to install the malicious software onto the ATMs in the first place – it’s not as though they have a floppy disk drive sticking out of the wall for the public to use!
And it’s this that makes us think the code was possibly designed to be installed by someone with physical access to the ATMs, without alarms recognising that the machine was being tampered with. One possible entry point would be somewhere along the manufacturing line of the ATM device.
After all, we’ve seen banking equipment tampered with along the production chain before.